[Downloads] Prevent dangerous files from being opened automatically.

chrome/browser/download/download_extensions.cc

Index: chrome/browser/download/download_extensions.cc
diff --git a/chrome/browser/download/download_extensions.cc b/chrome/browser/download/download_extensions.cc
index 623bdf48d855f651fcc7ef343522d450bd9a5fba..6475045897f2e024e8e09345ddacce12fc4b52f4 100644
--- a/chrome/browser/download/download_extensions.cc
+++ b/chrome/browser/download/download_extensions.cc
@@ -227,6 +227,14 @@ DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
   return NOT_DANGEROUS;
 }
 
+bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
+  // This is probably overly conservative, but the intention is that if the file
+  // type was dangerous enough to require prompting, then we shouldn't allow
+  // opening it automatically.
+  base::FilePath::StringType extension(path.FinalExtension());
+  return !extension.empty() && GetFileDangerLevel(path) == NOT_DANGEROUS;

[Randy Smith (Not in Mondays), 2015/06/03 23:44:07]

So we no longer allow ALLOW_ON_USER_GESTURE files to be opened automatically? 
My gut is that that's going to annoy people, though the example I was going to
give was .pdf, which doesn't appear to be a dangerous file type anymore.  Would
it make sense to allow ALLOW_ON_USER_GESTURE types to open automatically iff
they were downloaded associated with a user gesture?  (I know we can't rely on
that, but we've already made the judgement that we're ok with downloading them
with the imperfect signal of a user gesture ...)

[Randy Smith (Not in Mondays), 2015/06/03 23:44:07]

The !extension.empty() test is redundant with the same check in
GetFileDangerLevel(), I think.

[asanka, 2015/06/04 15:30:48]

The check is different. GetFileDangerLevel() returns NOT_DANGEROUS if the file
has no extension. We want files without extensions to return false from this
function since they can't be opened automatically.

Also, regarding the ALLOW_ON_USER_GESTURE behavior: Downloads that had a user
gesture and those that didn't are both equivalent by the time the download
completes. Remember that if there wasn't a user gesture, we would've prompted
the user. In either case, by the end there would be a user gesture.

The only exception to this rule are those files that are now being handled by
SafeBrowsing. Those may not have a user gesture by the end of the download.

+}
+
 static const char* kExecutableWhiteList[] = {
   // JavaScript is just as powerful as EXE.
   "text/javascript",